(Added "draft") |
m (→Purpose: Added bold and italics) |
| Line 8: | Line 8: | ||
* Security-sensitive information that needs to be shared with Mozilla. | * Security-sensitive information that needs to be shared with Mozilla. | ||
Generally, a Security Vulnerability is a potential weak point that could lead to a security incident if exploited by an attacker, while a Security Incident is any event, breach, or occurrence that poses a threat to the confidentiality, integrity, or availability of a CA Operator’s information assets or computer systems. | Generally, a Security Vulnerability is a potential weak point that could lead to a security incident if exploited by an attacker, while a Security Incident is any event, breach, or occurrence that poses a threat to the confidentiality, integrity, or availability of a CA Operator’s information assets or computer systems. '''A Reportable Vulnerability is ''either'' a vulnerability ''or'' a security incident that has the potential of having a serious adverse effect on the trustworthiness of certificates.''' (Not every vulnerability or cybersecurity incident within a large organization's unrelated business departments needs to be reported. However, CA Operators still need to account for the risk that advanced persistent threats and lateral movements by attackers within the CA Operator's broader infrastructure might affect CA operations.) | ||
A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party. | A CA Operator MUST initially notify Mozilla about a Reportable Vulnerability as soon as possible and no later than 24 hours of internal identification or notification by an external party. | ||
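Review bot: The added bold sentence defines "Reportable Vulnerability" as either a vulnerability or a security incident, right after the preceding sentence distinguishes "Security Vulnerability" from "Security Incident", so one defined term now covers both and readers may take it to mean vulnerabilities only. Consider a neutral term for the combined category, or state explicitly that the name also covers incidents. The threshold "serious adverse effect on the trustworthiness of certificates" is also left undefined, while the next paragraph's MUST with its 24-hour deadline depends on it; a short set of criteria or examples would let CA Operators apply it consistently. The parenthetical about unrelated business departments reads as normative scope and could be stated as a plain sentence rather than in parentheses.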